go.mod: experimental integration of gomodjail (library sandbox)

AkihiroSuda · AkihiroSuda · commit 3ec186fce48c · 2025-03-18T02:29:06.000+09:00
https://github.com/AkihiroSuda/gomodjail gomodjail imposes syscall restrictions on a specific set of Go modules (excepts ones that use unsafe pointers, reflections, etc.), so as to mitigate their potential vulnerabilities and supply chain attack vectors. Usage: ``` gomodjail run --go-mod=./go.mod -- nerdctl run hello-world ``` TODO: pack gomodjail, go.mod, and nerdctl into a single binary Hint: use `git diff --word-diff` for reviewing the changes in this commit Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -299,6 +299,9 @@ jobs:
         run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false
       - name: "Test (network driver=slirp4netns, port driver=builtin) (flaky)"
         run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true
+      - name: "Smoke test with gomodjail (may fail; not a blocker for merging PRs)"
+        # TODO: replace /usr/local/bin/nerdctl with a gomodjail wrapper and run the entire integration tests
+        run: docker run -t --rm --privileged ${TEST_TARGET} gomodjail --go-mod=/go/src/github.com/containerd/nerdctl/go.mod -- nerdctl run --rm hello-world
 
   build:
     timeout-minutes: 5
diff --git a/Dockerfile b/Dockerfile
@@ -49,6 +49,7 @@ ARG GOTESTSUM_VERSION=v1.12.0
 ARG NYDUS_VERSION=v2.3.0
 ARG SOCI_SNAPSHOTTER_VERSION=0.8.0
 ARG KUBO_VERSION=v0.32.1
+ARG GOMODJAIL_VERSION=master
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1 AS xx
 
@@ -116,6 +117,16 @@ RUN xx-go --wrap && \
   make build && \
   xx-verify --static cmd/ipfs/ipfs && cp -a cmd/ipfs/ipfs /out/${TARGETARCH}
 
+FROM build-base-debian AS build-gomodjail
+ARG GOMODJAIL_VERSION
+ARG TARGETARCH
+RUN git clone https://github.com/AkihiroSuda/gomodjail.git /go/src/github.com/AkihiroSuda/gomodjail
+WORKDIR /go/src/github.com/AkihiroSuda/gomodjail
+RUN git checkout ${GOMODJAIL_VERSION} && \
+  mkdir -p /out/${TARGETARCH}
+RUN GO=xx-go STATIC=1 make && \
+  xx-verify --static _output/bin/gomodjail && cp -a _output/bin/gomodjail /out/${TARGETARCH}
+
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS build-base
 RUN apk add --no-cache make git curl
 RUN git config --global advice.detachedHead false
@@ -296,6 +307,7 @@ RUN fname="soci-snapshotter-${SOCI_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TAR
   tar -C /usr/local/bin -xvf "${fname}" soci soci-snapshotter-grpc
 # enable offline ipfs for integration test
 COPY --from=build-kubo /out/${TARGETARCH:-amd64}/* /usr/local/bin/
+COPY --from=build-gomodjail /out/${TARGETARCH:-amd64}/* /usr/local/bin/
 COPY ./Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml /etc/containerd-stargz-grpc/config.toml
 COPY ./Dockerfile.d/test-integration-ipfs-offline.service /usr/local/lib/systemd/system/
 COPY ./Dockerfile.d/test-integration-buildkit-nerdctl-test.service /usr/local/lib/systemd/system/
diff --git a/go.mod b/go.mod
@@ -1,3 +1,4 @@
+//gomodjail:confined
 module github.com/containerd/nerdctl/v2
 
 go 1.23.0
@@ -9,23 +10,23 @@ require (
 	github.com/compose-spec/compose-go/v2 v2.4.9
 	github.com/containerd/accelerated-container-image v1.3.0
 	github.com/containerd/cgroups/v3 v3.0.5
-	github.com/containerd/console v1.0.4
+	github.com/containerd/console v1.0.4 //gomodjail:unconfined
 	github.com/containerd/containerd/api v1.8.0
-	github.com/containerd/containerd/v2 v2.0.3
-	github.com/containerd/continuity v0.4.5
+	github.com/containerd/containerd/v2 v2.0.3 //gomodjail:unconfined
+	github.com/containerd/continuity v0.4.5 //gomodjail:unconfined
 	github.com/containerd/errdefs v1.0.0
-	github.com/containerd/fifo v1.1.0
+	github.com/containerd/fifo v1.1.0 //gomodjail:unconfined
 	github.com/containerd/go-cni v1.1.12
 	github.com/containerd/imgcrypt/v2 v2.0.0
 	github.com/containerd/log v0.1.0
 	github.com/containerd/nerdctl/mod/tigron v0.0.0
 	github.com/containerd/nydus-snapshotter v0.15.0
-	github.com/containerd/platforms v1.0.0-rc.1
+	github.com/containerd/platforms v1.0.0-rc.1 //gomodjail:unconfined
 	github.com/containerd/stargz-snapshotter v0.16.3
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3
 	github.com/containerd/stargz-snapshotter/ipfs v0.16.3
 	github.com/containerd/typeurl/v2 v2.2.3
-	github.com/containernetworking/cni v1.2.3
+	github.com/containernetworking/cni v1.2.3 //gomodjail:unconfined
 	github.com/containernetworking/plugins v1.6.2
 	github.com/coreos/go-iptables v0.8.0
 	github.com/coreos/go-systemd/v22 v22.5.0
@@ -35,26 +36,26 @@ require (
 	github.com/docker/docker v28.0.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0
-	github.com/fahedouch/go-logrotate v0.2.1
-	github.com/fatih/color v1.18.0
+	github.com/fahedouch/go-logrotate v0.2.1 //gomodjail:unconfined
+	github.com/fatih/color v1.18.0 //gomodjail:unconfined
 	github.com/fluent/fluent-logger-golang v1.9.0
 	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-viper/mapstructure/v2 v2.2.1
 	github.com/ipfs/go-cid v0.5.0
 	github.com/klauspost/compress v1.18.0
-	github.com/mattn/go-isatty v0.0.20
+	github.com/mattn/go-isatty v0.0.20 //gomodjail:unconfined
 	github.com/moby/sys/mount v0.3.4
 	github.com/moby/sys/signal v0.7.1
-	github.com/moby/sys/userns v0.1.0
-	github.com/moby/term v0.5.2
-	github.com/muesli/cancelreader v0.2.2
+	github.com/moby/sys/userns v0.1.0 //gomodjail:unconfined
+	github.com/moby/term v0.5.2 //gomodjail:unconfined
+	github.com/muesli/cancelreader v0.2.2 //gomodjail:unconfined
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/pelletier/go-toml/v2 v2.2.3
-	github.com/rootless-containers/bypass4netns v0.4.2
-	github.com/rootless-containers/rootlesskit/v2 v2.3.4
-	github.com/spf13/cobra v1.9.1
+	github.com/rootless-containers/bypass4netns v0.4.2 //gomodjail:unconfined
+	github.com/rootless-containers/rootlesskit/v2 v2.3.4 //gomodjail:unconfined
+	github.com/spf13/cobra v1.9.1 //gomodjail:unconfined
 	github.com/spf13/pflag v1.0.6
 	github.com/vishvananda/netlink v1.3.0
 	github.com/vishvananda/netns v0.0.5
@@ -63,8 +64,8 @@ require (
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
 	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
-	golang.org/x/term v0.30.0
+	golang.org/x/sys v0.31.0 //gomodjail:unconfined
+	golang.org/x/term v0.30.0 //gomodjail:unconfined
 	golang.org/x/text v0.23.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
@@ -105,6 +106,7 @@ require (
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/symlink v0.3.0 // indirect
+	//gomodjail:unconfined
 	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
@@ -118,6 +120,7 @@ require (
 	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5 // indirect
+	//gomodjail:unconfined
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/smallstep/pkcs7 v0.1.1 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
@@ -135,7 +138,9 @@ require (
 	go.opentelemetry.io/otel/trace v1.31.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422 // indirect
+	//gomodjail:unconfined
 	google.golang.org/grpc v1.69.4 // indirect
+	//gomodjail:unconfined
 	google.golang.org/protobuf v1.36.2 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )

-Original file line number
+Diff line change
 +//gomodjail:confined
 module github.com/containerd/nerdctl/v2
 go 1.23.0
 	github.com/compose-spec/compose-go/v2 v2.4.9
 	github.com/containerd/accelerated-container-image v1.3.0
 	github.com/containerd/cgroups/v3 v3.0.5
 -	github.com/containerd/console v1.0.4
 +	github.com/containerd/console v1.0.4 //gomodjail:unconfined
 	github.com/containerd/containerd/api v1.8.0
 -	github.com/containerd/containerd/v2 v2.0.3
 -	github.com/containerd/continuity v0.4.5
 +	github.com/containerd/containerd/v2 v2.0.3 //gomodjail:unconfined
 +	github.com/containerd/continuity v0.4.5 //gomodjail:unconfined
 	github.com/containerd/errdefs v1.0.0
 -	github.com/containerd/fifo v1.1.0
 +	github.com/containerd/fifo v1.1.0 //gomodjail:unconfined
 	github.com/containerd/go-cni v1.1.12
 	github.com/containerd/imgcrypt/v2 v2.0.0
 	github.com/containerd/log v0.1.0
 	github.com/containerd/nerdctl/mod/tigron v0.0.0
 	github.com/containerd/nydus-snapshotter v0.15.0
 -	github.com/containerd/platforms v1.0.0-rc.1
 +	github.com/containerd/platforms v1.0.0-rc.1 //gomodjail:unconfined
 	github.com/containerd/stargz-snapshotter v0.16.3
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3
 	github.com/containerd/stargz-snapshotter/ipfs v0.16.3
 	github.com/containerd/typeurl/v2 v2.2.3
 -	github.com/containernetworking/cni v1.2.3
 +	github.com/containernetworking/cni v1.2.3 //gomodjail:unconfined
 	github.com/containernetworking/plugins v1.6.2
 	github.com/coreos/go-iptables v0.8.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/docker/docker v28.0.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0
 -	github.com/fahedouch/go-logrotate v0.2.1
 -	github.com/fatih/color v1.18.0
 +	github.com/fahedouch/go-logrotate v0.2.1 //gomodjail:unconfined
 +	github.com/fatih/color v1.18.0 //gomodjail:unconfined
 	github.com/fluent/fluent-logger-golang v1.9.0
 	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-viper/mapstructure/v2 v2.2.1
 	github.com/ipfs/go-cid v0.5.0
 	github.com/klauspost/compress v1.18.0
 -	github.com/mattn/go-isatty v0.0.20
 +	github.com/mattn/go-isatty v0.0.20 //gomodjail:unconfined
 	github.com/moby/sys/mount v0.3.4
 	github.com/moby/sys/signal v0.7.1
 -	github.com/moby/sys/userns v0.1.0
 -	github.com/moby/term v0.5.2
 -	github.com/muesli/cancelreader v0.2.2
 +	github.com/moby/sys/userns v0.1.0 //gomodjail:unconfined
 +	github.com/moby/term v0.5.2 //gomodjail:unconfined
 +	github.com/muesli/cancelreader v0.2.2 //gomodjail:unconfined
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/pelletier/go-toml/v2 v2.2.3
 -	github.com/rootless-containers/bypass4netns v0.4.2
 -	github.com/rootless-containers/rootlesskit/v2 v2.3.4
 -	github.com/spf13/cobra v1.9.1
 +	github.com/rootless-containers/bypass4netns v0.4.2 //gomodjail:unconfined
 +	github.com/rootless-containers/rootlesskit/v2 v2.3.4 //gomodjail:unconfined
 +	github.com/spf13/cobra v1.9.1 //gomodjail:unconfined
 	github.com/spf13/pflag v1.0.6
 	github.com/vishvananda/netlink v1.3.0
 	github.com/vishvananda/netns v0.0.5
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
 	golang.org/x/sync v0.12.0
 -	golang.org/x/sys v0.31.0
 -	golang.org/x/term v0.30.0
 +	golang.org/x/sys v0.31.0 //gomodjail:unconfined
 +	golang.org/x/term v0.30.0 //gomodjail:unconfined
 	golang.org/x/text v0.23.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/symlink v0.3.0 // indirect
 +	//gomodjail:unconfined
 	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5 // indirect
 +	//gomodjail:unconfined
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/smallstep/pkcs7 v0.1.1 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	go.opentelemetry.io/otel/trace v1.31.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422 // indirect
 +	//gomodjail:unconfined
 	google.golang.org/grpc v1.69.4 // indirect
 +	//gomodjail:unconfined
 	google.golang.org/protobuf v1.36.2 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
+)